Continuous Compliance Assurance for 
Trusted Information Sharing: A Research Framework 


Bonnie W. Morris* 
Division of Accounting 
College of Business & Economics 
Bonnie.Morris@mail.wvu.edu 
304 293-7851 


Geoffrey Shaw 
Senior VP, Risk Assessment and Policy Compliance 
VIACK Corporation 
Cynthia Tanner 
Lane Department of Computer Science and Electrical Engineering 
College of Engineering and Mineral Resources 
George Trapp 


Lane Department of Computer Science and Electrical Engineering 
College of Engineering and Mineral Resources 


West Virginia University 
Morgantown, WV 26506-6025 


*Primary Contact 


September 2007 


Funded in part by a grant from VIACK Corp. 




Abstract 


There are many situations in business, law enforcement, and intelligence analysis where 
it is mutually beneficial for two or more organizations to share private information. 
Often, organizations do not share information because they do not trust potential 
information sharing partners to provide adequate security for the shared information or to 
comply fully with terms and conditions for sharing. We argue that such concerns can be 
addressed by exchanging information through a trusted enclave or trusted clearinghouse 
that ensures the security of data and provides for continuous assurance of information 
sharing policy compliance. This paper presents a research framework for the 
development and implementation of a trusted enclave that includes social, behavioral, 
and economic issues related to trust and incentives; technology-based issues related to 
semantic modeling and ontology development for representing policies, data quality 
metrics, and levels of assurance; and practice-based issues related to the provision of 
continuous compliance assurance in this context. 




There are many situations in business, law enforcement, and intelligence analysis where 
it is mutually beneficial for two or more organizations to share private information. In 
many cases, the organizations do not share information because they do not trust potential 
information sharing partners to provide adequate security for the shared information or to 
comply fully with terms and conditions for sharing. We argue that such concerns can be 
addressed by exchanging information through a trusted enclave or trusted clearinghouse 
that ensures the security of data and provides for continuous assurance of information 
sharing policy compliance. 


A trusted enclave will provide a means of creating a market for the exchange of data. 
Organizations will have a venue for identifying new qualified data sharing partners, a 
means of measuring the quality of data from new or existing data exchange partners, 
measuring the quality of the results of data sharing, and a means of measuring the impact 
of changes in information sharing policies. In short, the proposed model of trusted 
information sharing through a secure enclave supported by continuous policy compliance 
assurance will allow organizations to better measure the effectiveness of their 
information sharing risk assessment. 


Our research is aimed specifically at better understanding, articulating, and 
addressing these issues. This paper presents a research framework for the 
development and implementation of a trusted enclave that includes social, behavioral, 
and economic issues related to trust and incentives; technology-based issues related to 
semantic modeling and ontology development for representing policies, data quality 
metrics, and levels of assurance; and practice-based issues related to the provision of 
continuous compliance assurance in this context. 


Background 


Managing Interdependent Risk and Improving Efficiency 


Often, the motivation to share information is driven by the desire to reduce shared risks and 
improve operational efficiency. For example, because supply chain partners share the use of 
resources such as ports, docks, freight consolidation facilities, railroad yards, and 
trucking facilities, they also share many sources of risk. These shared risks create 
interdependencies and create the need for better information to assess and manage those 
risks. The risks relate to operational threats such as congestion and delays due to weather 
or equipment malfunction, and to security threats from criminal behavior, sabotage, and 
terrorism. 


Sharing information about logistics, shipments, excess capacity, information about 
manmade and natural hazards, risks related to people (crew, dock workers, etc.), cargo, as 
well as information shared in the vertical supply chain (production schedules, projected 
sales, etc.), can improve the efficiency and security of the global supply chain. 


It is widely believed that US trade is reaching the capacity of the nation’s ports and related 
logistics capabilities. The only way to increase trade is by improving the efficiency of 
operations. Shared data related to capacity and freight flow can be used to better 
coordinate and optimize the processes and to reduce congestion and delays. 


Shared information about personnel and the origin and contents of cargo containers can 
be used to assess and mitigate risks related to criminal or terrorist behavior. 


Supply chain members are reluctant to share such information, however, because they 
worry about: 

• Opportunistic behavior of information trading partners 
• Antitrust violations if improper sharing takes place 
• Possible privacy law violations 
• Inadequate security of shared data 


Law enforcement and intelligence agencies do not have antitrust concerns, but they do 
have concerns about privacy policy violations and inadequate security. They do not 
compete in the same way that the private sector commercial organizations do, but there is 
competition across jurisdictions and agencies. The same individuals or organizations 
may be under investigation by multiple agencies at the same time. Because each agency 
wants to see its case successfully closed, it may be reluctant to share. In addition to 
competition issues, they are concerned that sharing information may allow others to infer 
and possibly leak information about their data sources and methods. Such leaks may 
jeopardize the safety of sources, compromise cases under investigation by tipping off 
suspects, and harm the reputation of individuals or organizations that are being 
investigated but are subsequently found to be innocent or not involved. 


Law enforcement also has other specific concerns about the timing of the release of data. 
What law enforcement agencies are allowed to release about a case changes over the 
course of the judicial process. Arrest records are public and are often published in 
newspapers. Court dockets are public information and the court’s proceedings generally 
are open to the public. Once a case has been adjudicated, however, different rules apply. 


Much has been written about the need to “connect the dots” to improve homeland 
security. “Connecting the dots” is dependent on timely sharing of information across 
government agencies. 


In March 2006 the GAO (GAO-06-385) reported that “the nation still lacks government-wide 
policies and processes needed to build an integrated...information-sharing 
roadmap...” In the area of homeland security, there is a critical need for the private 
sector to share information with the government. It is estimated that 80% of the nation’s 
critical infrastructure (e.g., power, telecommunications, healthcare) is held by the private 
sector. Information about threats, vulnerabilities, and other critical matters is 
critical to enhancing security. In May 2005, the GAO, in reporting on Department of 
Homeland Security efforts to foster information sharing (GAO-05-434), identified the 
following barriers to sharing with the government: 


▪ fear of release of sensitive information, 
▪ uncertainty about how the information would be used and protected, 
▪ lack of trust in DHS, and 
▪ inconsistency in the usefulness of information shared with the private sector by 
  DHS (p. 11). 


Risk of Sharing 


The lack of trust between potential information sharing partners is not without merit. 
Every week, it seems, there is a report of a stolen laptop or missing hard drive containing 
confidential or personal private information of customers or employees, or other security 
breaches that jeopardize the security of data. 


Many organizations lack basic access controls. Reports of former employees, 
consultants, and subcontractors who retain access to sensitive information systems long 
after their relationship with the organization has ended are common. A report from the 
University of Michigan estimates that 70% of identity theft is attributable to insiders. It 
occurs when employees or others who have been given access to employees’ or customers’ 
nonpublic private information steal it and sell it. 


When two or more organizations agree to share information, each typically sends its data 
to the other or one allows the other to access and download information from its systems. 
Either way, the Provider’s shared data is now under the control of the User and subject to 
all the vulnerabilities of the User’s systems and data. Providers must rely on Users to 
protect the data, to comply with privacy policies, and to avoid unauthorized secondary 
use that could adversely affect Provider (opportunistic behavior) or result in antitrust 
violations. The problem is further complicated by the fact that once Provider’s datasets 
are stored on Users’ systems, they may be merged with other data and disconnected from 
information about their origin and restrictions on use. 


Another important problem with sharing data in this fashion is the difficulty of correcting 
errors. Good practices for treating private employee or customer data require that the 
data subject be allowed to view relevant stored data and correct errors. When that data 
has been shared with others, errors propagate and are difficult to correct. 


The risk of sharing is significant when there is only one Provider and one User. 
Typically, however, the situations in which information sharing is most critical involve 
multiple Users and multiple Providers (with each organization acting both as a provider 
and a user of others’ data). The risk to a Provider’s data is additive; it is the sum of the 
risk at each User and it quickly becomes significant. 


Trusted Enclave 


Multi-organization sharing can be accomplished in a secure and policy compliant manner 
through the use of a trusted enclave or clearinghouse. In this model, shared data are 
stored within the enclave. Data fusion and analysis applications run within the trusted 
enclave. Access to data by applications or users is mediated by automated sharing policy 
enforcement and is logged into immutable audit logs. The results of fusion and analysis 
applications sent to users are also mediated by sharing policy enforcement and logged in 
immutable audit logs. Data access by individuals and applications is continuously 
verified for compliance with the information sharing rules through assurance provider 
access to the audit logs. The physical and logical access to the trusted enclave must be 
locked down to prevent leakage of data by intentional or accidental acts by employees or 
hackers. To the extent possible access controls, communication controls, change 
controls, and other general controls within the operations of the enclave are automated 
and subjected to continuous assurance, as well. 
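The mediation-and-audit pattern just described can be sketched in a few dozen lines. The following Python is an added example written for this edit, not code from the paper or from VIACK: Provider data stays inside an enclave object, a User receives only the result of an application that the sharing policy permits, every decision is appended to a hash-chained audit log, and the assurance provider gets two checks that need the log but never the data. The participant names, policy table, records and genesis value are all constructed.

```python
"""Added example (not from the paper): a toy trusted-enclave mediator.
Providers deposit records inside the enclave and Users never read them
directly; each request runs an application inside the enclave, is checked
against the sharing policy, and is recorded in a hash-chained audit log that
an assurance provider can verify without seeing the data.  All participant
names, policies and records are constructed for the example."""
import hashlib
import json

# Constructed sharing policies: (user, data category, purpose) -> permitted.
POLICIES = {
    ("port_authority", "shipment_manifest", "congestion_forecast"): True,
    ("carrier_b", "crew_roster", "identity_discrepancy"): True,
}

GENESIS = hashlib.sha256(b"constructed-genesis").hexdigest()


class TrustedEnclave:
    def __init__(self):
        self._store = {}      # data category -> Provider records, never exported
        self._log = []        # append-only entries, each chained to the previous
        self._prev = GENESIS

    def deposit(self, provider, category, records):
        self._store.setdefault(category, []).extend(records)
        self._append({"event": "deposit", "provider": provider,
                      "category": category, "count": len(records)})

    def run(self, user, category, purpose, app):
        """Policy enforcement point: run `app` over the category on behalf of
        `user`; only the application's result leaves the enclave, and only if
        the policy permits this (user, category, purpose) triple."""
        permitted = POLICIES.get((user, category, purpose), False)
        self._append({"event": "access", "user": user, "category": category,
                      "purpose": purpose,
                      "decision": "permit" if permitted else "deny"})
        return app(self._store.get(category, [])) if permitted else None

    def _append(self, entry):
        entry = dict(entry, seq=len(self._log))
        payload = json.dumps(entry, sort_keys=True)
        digest = hashlib.sha256((self._prev + payload).encode()).hexdigest()
        self._log.append({"entry": entry, "prev": self._prev, "hash": digest})
        self._prev = digest

    def export_log(self):
        """What the assurance provider receives: the log, not the data."""
        return [dict(rec) for rec in self._log]


def verify_chain(log):
    """Assurance-side integrity check: recompute every hash from the genesis
    value.  An edited, deleted or reordered entry breaks the chain at the
    first affected index.  Returns (intact, first_bad_index_or_len)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        payload = json.dumps(rec["entry"], sort_keys=True)
        expected = hashlib.sha256((prev + payload).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False, i
        prev = rec["hash"]
    return True, len(log)


def policy_exceptions(log, policies=POLICIES):
    """Assurance-side compliance check: every logged access decision must
    agree with the agreed policy table; returns the entries that do not."""
    bad = []
    for rec in log:
        e = rec["entry"]
        if e["event"] != "access":
            continue
        expected = "permit" if policies.get(
            (e["user"], e["category"], e["purpose"]), False) else "deny"
        if e["decision"] != expected:
            bad.append(e)
    return bad


def demo():
    enclave = TrustedEnclave()
    enclave.deposit("carrier_a", "shipment_manifest",      # constructed records
                    [{"container": "C1", "teu": 2}, {"container": "C2", "teu": 1}])
    total_teu = lambda records: sum(r["teu"] for r in records)
    permitted = enclave.run("port_authority", "shipment_manifest",
                            "congestion_forecast", total_teu)   # 3
    denied = enclave.run("carrier_b", "shipment_manifest",
                         "congestion_forecast", total_teu)      # None
    log = enclave.export_log()
    intact, _ = verify_chain(log)                               # True
    # A log entry rewritten after the fact (the denied attempt turned into a
    # permit) breaks the chain and, independently, shows up as a policy exception.
    tampered = [dict(rec) for rec in log]
    tampered[2]["entry"] = dict(tampered[2]["entry"], decision="permit")
    still_intact, where = verify_chain(tampered)                # False, 2
    return permitted, denied, intact, still_intact, where, len(policy_exceptions(tampered))


if __name__ == "__main__":
    print(demo())
```

The two assurance checks are deliberately separate: verify_chain detects that the log itself was altered, while policy_exceptions detects that the enclave reached a decision the agreed policy does not support. A faithfully kept log of wrong decisions passes the first and fails the second, which is why an assurance provider wants both.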


In this environment, User personnel do not have access to view Providers’ data unless 
there is a specific policy that allows it. Instead, User’s personnel see the results of User’s 
applications for fusing Providers’ data with its own and others but not necessarily the 
details of any one Provider’s entire dataset. 


Law enforcement, for example, will not be able to see or directly query the entire list of 
individuals under investigation or any details about the specific cases being investigated 
by other agencies. There will be “anonymized” sharing or matching of data, so that, in 
accordance with pre-determined rules, an agency will be notified when a person of 
interest in one of its investigations also turns up as a person of interest in another 
agency’s investigation. In this way, we can “connect the dots” without disclosing other 
information. 


Shipping lines, trucking companies, and railroads can share employee or crew data to 
identify cases of conflicting data such as two or more individuals using the same identity 
or individuals who have had licenses suspended in another region without violating 
employee privacy. Only discrepancies are reported in accordance with pre-determined 
policies. In effect, the concept of “need to know” sharing can be implemented and 
enforced. 
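One way to realise the anonymized matching and "need to know" reporting described above, as an added example rather than code from the paper: participants submit crew records, the enclave blinds the identity attributes with a keyed hash under a secret only it holds, and each participant receives only the discrepancy findings about its own records that the pre-determined policy allows. The participants, records, finding types and key are constructed for this illustration.

```python
"""Added example (not from the paper): anonymized matching inside the enclave.
Identity attributes are blinded with a keyed hash under a secret held only by
the enclave; only discrepancies, and only about the recipient's own records,
leave the enclave.  Participants, records and the key are constructed."""
import hashlib
import hmac
from collections import defaultdict

ENCLAVE_KEY = b"constructed-enclave-secret"   # known only inside the enclave


def blind(value):
    """Keyed hash of a normalised attribute.  A keyed hash rather than plain
    SHA-256 means a participant who later sees another party's token cannot
    test candidate identity numbers against it."""
    norm = value.strip().lower().encode()
    return hmac.new(ENCLAVE_KEY, norm, hashlib.sha256).hexdigest()


def find_discrepancies(submissions):
    """submissions: {participant: [record]}; each record carries the
    submitter's own local_ref plus id_number, name, license_status, region.
    Returns {participant: [finding]} holding only what the constructed policy
    lets that participant see:
      SAME_IDENTITY: the same id_number appears with different names across
        participants (each holder of that id is told, with no names disclosed);
      LICENSE_SUSPENDED_ELSEWHERE: a person active with this participant is
        suspended in another region (told only to the participant where the
        person is active; the other record's details are not disclosed)."""
    by_token = defaultdict(list)
    for party, records in submissions.items():
        for rec in records:
            by_token[blind(rec["id_number"])].append((party, rec))

    findings = defaultdict(list)
    for holders in by_token.values():
        if len(holders) < 2:
            continue                       # no cross-participant overlap
        name_tokens = {blind(rec["name"]) for _, rec in holders}
        if len(name_tokens) > 1:
            for party, rec in holders:
                findings[party].append({"type": "SAME_IDENTITY",
                                        "local_ref": rec["local_ref"],
                                        "other_parties": len(holders) - 1})
        suspended_in = {rec["region"] for _, rec in holders
                        if rec["license_status"] == "suspended"}
        for party, rec in holders:
            if rec["license_status"] == "active" and (suspended_in - {rec["region"]}):
                findings[party].append({"type": "LICENSE_SUSPENDED_ELSEWHERE",
                                        "local_ref": rec["local_ref"]})
    return dict(findings)


SUBMISSIONS = {  # constructed sample records
    "shipping_line": [
        {"local_ref": "S-1", "id_number": "A123", "name": "Pat Lee",
         "license_status": "active", "region": "east"},
        {"local_ref": "S-2", "id_number": "B456", "name": "Sam Roe",
         "license_status": "active", "region": "east"},
    ],
    "trucking_co": [
        {"local_ref": "T-9", "id_number": " a123 ", "name": "Chris Kim",
         "license_status": "active", "region": "west"},
    ],
    "railroad": [
        {"local_ref": "R-4", "id_number": "B456", "name": "Sam Roe",
         "license_status": "suspended", "region": "west"},
    ],
}


def demo():
    return find_discrepancies(SUBMISSIONS)


if __name__ == "__main__":
    print(demo())
```

With the constructed data, the shipping line learns that its record S-1 shares an identity number with a differently named person elsewhere and that the person behind S-2 is suspended in another region; the trucking company learns only about its own T-9; the railroad, whose record is the suspended one, receives nothing. Each finding carries the recipient's own record reference and a count, never the other party's data, which is the "need to know" restriction expressed as code.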


Tightly controlled systems can be implemented in the trusted enclave. Most 
organizations simply do not see the business value in locking down their operations to 
this extent. When they weigh the benefits of more secure data and systems against the 
perceived cost in terms of reduced productivity, they often choose not to implement the 
tight security measures necessary to achieve this level of control. DoD and Intelligence 
agencies might be exceptions, at least in terms of the way they handle classified 
information. But, their reluctance to trust other agencies with sensitive data remains as 
reported by GAO. 


It is difficult or impossible to provide independent verification of policy compliance in 
the typically porous control environment of most organizations. Most employees have 
access to computers with printers, DVD burners, and USB drives. Any data that they are 
allowed to access in the course of their work duties can be downloaded and removed 
from the premises with little fear of detection and often no event logs to record the 
actions. The opportunities for data to leak out of an organization, intentionally and 
accidentally, are enormous. 


Research Framework 


Trust and the value of assurance services 


There are many technical challenges to implementing a trusted enclave environment. The 
social, behavioral, and economic issues may prove most challenging, however. 


A number of IT based initiatives aimed at strengthening homeland security and public 
safety have been abandoned because the technology solutions failed to adequately 
address the public’s privacy concerns. The Total Information Awareness Program (TIA) 
and Computer Assisted Passenger Pre-Screening System (CAPPS II) and the Multi-State 
Anti-Terrorism Information Exchange Program (MATRIX) have been abandoned. 


Before it was abandoned, the MATRIX website stated: 


“The Multistate Anti-Terrorism Information Exchange (MATRIX) pilot project 
leverages proven technology to assist criminal investigations by implementing 
factual data analysis from existing data sources and integrating disparate data 
from many types of Web-enabled storage systems. This technology helps to 
identify, develop, and analyze terrorist activity and other crimes for investigative 
leads. Information accessible includes criminal history records, driver's license 
data, vehicle registration records, and incarceration/corrections records, 
including digitized photographs, with significant amounts of public data records. 
This capability will save countless investigative hours and drastically improve the 
opportunity to successfully resolve investigations.” 


The technology worked well, perhaps too well. As the power of the search was 
demonstrated, concerns over the amount of information that could be had about 
individuals with just a few keystrokes caused great alarm among the public, the ACLU 
and other privacy groups, and the officials of some of the participating states. MATRIX 
began with sixteen state participants. One by one, states dropped out, usually citing 
concerns about privacy and security, until it died with only four participants at the end. 
Neither the public nor the states were willing to trust that the rules for accessing data 
would be enforced. Initially, there was no mention of an independent audit function. 
After concerns were expressed, the Florida officials who were administering the program 
indicated that they would monitor for compliance. That did not satisfy the critics. 


Similar outcomes were realized for the CAPPS II and TIA programs. Although both 
programs faced huge technical challenges, they were abandoned because of the concerns 
over privacy and civil liberty violations, not because of the technological challenges. 


We argue that a key part of the problem is information asymmetry. Further we argue 
that independent third party verification or policy compliance assurance can address 
information asymmetry. Researchers at Wharton, using game theory analytical 
approaches, have found that independent third party verification is preferable to 
command-and-control approaches in enforcing compliance with safety standards 
designed to avert major catastrophes in the chemical industry (Kunreuther, et al. 2002). 


An unpublished pilot study of the public’s confidence in government compliance with 
privacy policies found that respondents were less confident of the government’s 
compliance with stated policies when the use was subjected to continuous audit (Nelson, 
2004). Perhaps this was skewed by the public’s view of the effectiveness of audit in the 
wake of Enron and other scandals. 


This leads to a number of interesting research questions to be addressed through 
analytical and empirical studies: 


• Will independent Continuous Compliance Assurance increase trust among 
  potential information sharing partners and the public? 
• If so, who will they trust to provide the assurance? In the private sector, CPAs 
  have several advantages: 
    o A reputation for providing assurance on financial statements and other 
      matters 
    o Professional standards for providing assurance services, including Trust 
      Services 
    o Knowledge of privacy principles, as demonstrated by the promulgation of 
      Generally Accepted Privacy Principles 
    o Potentially deep pockets (important, as these assurance services are a 
      means of sharing risk) 
• Who will government and law enforcement trust to provide assurances? Will the 
  CPAs’ advantages hold for the public sector? What alternatives are there? 
• Will different data providers require different levels of assurance? If so, how will 
  we specify levels of assurance? 
• What form should the communication of assurance take? 


Additional technical issues related to the provision of continuous assurance are discussed 
below. 


Incentives to Share 


In order to get organizations to share data, the perceived benefit of sharing must equal or 
exceed the cost of sharing. So far, the discussion has focused on the cost side of the 
equation. The cost of sharing is the expected value of loss from the risk of non-compliance 
with the information sharing policies. That is, it is the risk that shared 
information will not be secured from unauthorized access or disclosure, will be used for 
other purposes than those for which it was shared to the detriment of the organization, or 
that privacy laws or antitrust laws will be violated as a result of sharing. Sharing through 
a secure trusted enclave with continuous compliance assurance reduces the assessed level 
of risk of noncompliance. 


The benefit is measured by what is received in return for shared data. The exchange of 
information may be mediated by money or data from other providers. In either case, 
there must be some assessment of the quality of the data provided. Sharing data through 
a trusted enclave means that the User cannot view the Provider’s dataset in order to judge 
its quality. Instead, data quality metrics must be used to specify the quality required for a 
particular data fusion or analysis task. 


There are many dimensions to data quality (Pipino et al., 2002). It is a difficult challenge to 
assess the level of quality even when the entire dataset is available for perusing and querying. 
In fact, most of the prior research pertains to measuring the quality of data within an 
organization’s own databases. There are many sources of conflicting data within an 
organization (Wang and Strong, 1996; Strong et al., 1997) that can adversely impact the 
decision-making process. 


In the proposed trusted enclave environment, users must specify either directly or 
indirectly, the data quality requirements for the intended use. First, data quality criteria 
must be defined and then data quality metrics for each criterion must be established. 
Finally, the user must specify the desired level of quality across the various dimensions. 


To understand the challenge, consider how difficult it would be to buy the right produce 
at the market if you weren’t able to look at what was available. The quality measures 
might include size, color, weight, perceived ripeness. The “right” choice, i.e., the 
appropriate measure for each quality dimension depends on the intended use or the 
decision context. The quality of the fruit for a gift basket is likely to be different from the 
quality required for making jam. Not only do the required quality levels vary with the 
context, but so do the weightings of the criteria. 


Further complicating the problem, the ideal quality product may not be available at any 
given time. When that happens, we need to define the “best available” and then decide 
whether that is “good enough” for the intended purpose. Sometimes, when the quality of 
the product is not obvious (e.g., whether pesticides were used on the fruit), it is necessary 
to rely on brand name, certifications, or reputation of the provider. So, some of the 
quality measures are about the product and others are about the reliability of the source 
and/or its processes. 
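To make the three steps concrete (define criteria, attach a metric to each, then state the required level for the intended use), here is an added Python example written for this edit; the criteria, metric formulas, weights, thresholds and dataset profiles are constructed and are not from the paper. It also carries the produce analogy through in code: the "best available" dataset is the highest-scoring candidate that breaches no hard minimum, and it is "good enough" only if it also reaches the context's threshold. Provenance is treated as a source-reliability criterion alongside the product criteria, as the paragraph above suggests.

```python
"""Added example (not from the paper): context-dependent data quality
assessment for a fusion task.  Criteria, metrics, weights, thresholds and the
dataset profiles (the Provider's assertions about its data, which is all a
User can see inside the enclave) are constructed for the illustration."""

# Step 1: criteria.  Step 2: one metric per criterion, normalised to [0, 1]
# with 1 best, computed from a Provider's asserted profile of the dataset.
def completeness(profile):          # share of records with no missing required field
    return 1.0 - profile["missing_fraction"]

def timeliness(profile, max_age_days=30.0):   # 1 when fresh, 0 at or past max age
    return max(0.0, 1.0 - profile["age_days"] / max_age_days)

def consistency(profile):           # share of records not contradicting another source
    return 1.0 - profile["conflict_fraction"]

def provenance(profile):            # reliability of the source rather than the product
    return {"direct": 1.0, "secondary": 0.5, "unknown": 0.0}[profile["origin"]]

METRICS = {"completeness": completeness, "timeliness": timeliness,
           "consistency": consistency, "provenance": provenance}

# Step 3: the required level.  Both the weights and the hard minimums differ
# by decision context, as the quality wanted for jam differs from a gift basket.
CONTEXTS = {
    # a capacity forecast tolerates staleness but needs near-complete coverage
    "congestion_forecast": {
        "weights": {"completeness": 0.5, "timeliness": 0.2,
                    "consistency": 0.2, "provenance": 0.1},
        "minimums": {"completeness": 0.9},
        "good_enough": 0.75},
    # an identity check needs fresh data collected directly from the subject
    "identity_check": {
        "weights": {"completeness": 0.2, "timeliness": 0.3,
                    "consistency": 0.2, "provenance": 0.3},
        "minimums": {"timeliness": 0.5, "provenance": 1.0},
        "good_enough": 0.8},
}


def score(profile, context):
    """Weighted score in [0, 1] plus the criteria that breach a hard minimum."""
    ctx = CONTEXTS[context]
    per_criterion = {name: fn(profile) for name, fn in METRICS.items()}
    total = sum(ctx["weights"][n] * v for n, v in per_criterion.items())
    breaches = [n for n, floor in ctx["minimums"].items() if per_criterion[n] < floor]
    return round(total, 3), breaches


def select(candidates, context):
    """'Best available' is the highest-scoring candidate with no hard-minimum
    breach; 'good enough' is whether it also reaches the context threshold.
    Returns (name, score, good_enough), or (None, 0.0, False) if none qualifies."""
    eligible = []
    for name, profile in candidates.items():
        s, breaches = score(profile, context)
        if not breaches:
            eligible.append((s, name))
    if not eligible:
        return None, 0.0, False
    s, name = max(eligible)
    return name, s, s >= CONTEXTS[context]["good_enough"]


CANDIDATES = {  # constructed profiles asserted by two Providers
    "carrier_a_manifests": {"missing_fraction": 0.05, "age_days": 25,
                            "conflict_fraction": 0.1, "origin": "direct"},
    "broker_feed": {"missing_fraction": 0.0, "age_days": 45,
                    "conflict_fraction": 0.02, "origin": "secondary"},
}

if __name__ == "__main__":
    for ctx in CONTEXTS:
        print(ctx, select(CANDIDATES, ctx))
```

With these constructed values the carrier's manifests are best available and good enough for a congestion forecast; the broker feed alone would be best available for that forecast but fall just short of good enough; and for an identity check neither candidate qualifies, because the carrier data is too stale and the broker data is second-hand. That last outcome is the "not available at any given time" case from the produce analogy, and it is a legitimate answer the User must be prepared to receive.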


Returning to the specifics of the data quality assessment problem in the proposed trusted 
enclave, both business intelligence and national security intelligence analysts are faced 
with additional complicating factors. Data subjects may intentionally distort information 
for their own gain or simply to avoid disclosing private information. Some data 
providers may be data subjects. Others may have collected the data directly from 
subjects (e.g., their employees, customers, or vendors), or they may be secondary users of 
the data themselves (i.e., they are providing data they obtained from a source other 
than the subject). Data “provenance” is important. 


Finally, when the output of the data sharing is the result of data fusion or analysis 
applications, the Users will be concerned about the quality of the fusion application 
results and, in particular, the fusion gain: the improvement in decision quality (or 
reduction in uncertainty) resulting from the fusion of multiple sources of data. Data 
fusion gain is a joint function of the quality of the fusion algorithm and the quality of the 
data input. 


The ability to measure data quality and data fusion gain provides useful feedback to 
decision makers who must set their information sharing policies. In weighing the costs 
and benefits of information sharing, organizations will be better able to assess the benefit 
as measured in the data quality metrics and balance that against the perceived risk of 
policy non compliance. 


This leads to several interesting research questions: 


• What are the relevant data quality criteria? 
• What are the relevant data quality metrics? 
• How can measures of data quality criteria be combined for concepts such as 
  “best available data” and “minimally acceptable level” of quality? 
• How can we measure data fusion gain? 
• What are the dimensions of data provenance that are needed to measure quality? 
• Can data quality requirements be specified indirectly (i.e., inferred from the data 
  fusion application or from information about the other data available)? 
• How does the ability to measure data quality and data fusion gain allow us to 
  better assess the risk of information sharing and the effectiveness of our 
  information sharing policies? 


Policy Representation 


In the proposed trusted enclave approach to information sharing, terms and conditions of 
sharing, or information sharing policies must be stated in a form that can be implemented 
as a set of rules. 


Much of the research into policy-controlled systems focuses on controlling access to 
resources and ensuring data privacy. In many cases the existing research refers to 
policies to control access in systems that rely on a relatively fixed set of resources, users, 
and services. EPAL and XACML are both used to model privacy policies. 




EPAL is a language for writing enterprise privacy policies to govern data authorization 
rights. It provides a means of encoding privacy related data handling policies in a way 
that can be imported and enforced by an application. 


EPAL represents a privacy policy as a set of privacy rules. The rules are arranged in an 
ordered list with descending precedence. If a rule in the list fires, then the remaining 
rules in the list are ignored. Rules consist of a user or user category, an action, a data 
category, a purpose and whether access is denied or permitted, and, optionally may 
contain conditions and obligations. 


Users and data are arranged in parent-child hierarchies with inheritance: attributes of the 
parent are inherited by the child. A parent may be accessed only if all of the child 
instances in that category allow access (Anderson, 2006a). 


Damiani et al. (2006) and Anderson (2006) note that EPAL provides only a subset of the 
functionality that can be provided by XACML. Other research has pointed out further 
EPAL shortcomings, including the fact that its rule selection algorithm makes it 
impossible to automatically combine two EPAL policies (Barth and Mitchell, 2005). 
Stufflebeam et al. (2004) note another limitation: EPAL is intended to implement 
privacy policies as they relate to websites or transactional systems, not the organization’s 
overall privacy practices. 


XACML (eXtensible Access Control Markup Language), a standardized policy 
management and access control markup language, was approved by OASIS in February 
2003. It defines a mechanism to create policies and rules for controlling access to 
information. It contains a general policy language that allows organizations to define 
access control requirements for information and resources. XACML distributes policy 
rules and sets for management purposes but combines the results into a single decision 
for enforcement purposes. 


In an XACML environment, an access control request contains three entities, together 
called the target: a subject, a resource and an action. Each part of the target contains 
attributes that further define the request. The request can contain multiple subjects but 
only one resource and action. The target describes, through attributes, the subject making 
a request for permission to perform some action on a resource. XACML either permits or 
denies the request, and optionally performs a series of obligations, mandatory actions 
performed along with the decision. The Policy Decision Point (PDP) evaluates the 
relevant policies and rules for the target. The PDP accesses policies via the Policy 
Access Point (PAP), the process responsible for creating and maintaining the policies and 
policy sets. 


An XACML policy consists of a set of rules, a rule-combining algorithm, a set of 
obligations, and the target. When the PDP processes a request, only those policies whose 
target attributes match the request’s target attributes are considered in the evaluation. 
Each policy contains multiple rules. Each rule contains a condition (a statement about 
the attributes that returns true, false, or indeterminate), an effect (permit or deny, the 
result when the condition is satisfied), and a target, which determines whether the rule 
applies to this particular request. The rule evaluates as indeterminate if the condition 
returns indeterminate, not applicable if the condition returns false, and either permit or 
deny if the condition returns true. The policy also contains a rule-combining algorithm, 
which resolves conflicts to form a single result per policy per request. 


The result of the policy evaluation, the response, contains the decision (Permit, Deny, Not 
Applicable, or Indeterminate), status information (for example, why the evaluation failed), 
and optional obligations. XACML seems to be suited to limiting access by 
individuals or applications to stored data. It functions by controlling what can be 
requested. 
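The EPAL ordered-precedence evaluation described earlier (an ordered rule list; the first rule that fires decides) and the XACML evaluation described in the last few paragraphs (policy target, rule conditions yielding Permit, Deny, Not Applicable or Indeterminate, and a rule-combining algorithm) can be contrasted on one constructed policy. The following is an added Python example written for this edit; it is not an implementation of either specification and not the paper's code. The user-category hierarchy, the policy, the obligation text and the requests are all constructed. The same rules are evaluated under first-applicable, which models EPAL's descending precedence, and under a simplified deny-overrides, one of the XACML rule-combining algorithms, and a request missing an attribute that a condition needs produces Indeterminate.

```python
"""Added example (not from the paper; not an EPAL or XACML implementation):
a miniature policy decision point evaluating one constructed policy two ways.
EPAL-style: an ordered rule list with descending precedence, first rule that
fires wins.  XACML-style: match the policy target, evaluate each rule to
Permit / Deny / NotApplicable / Indeterminate, then combine."""

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# Constructed user-category hierarchy, child -> parent.  A rule written for a
# parent category applies to all of its children (EPAL-style inheritance).
PARENT = {"analyst": "staff", "auditor": "staff", "staff": "employee"}

def ancestors(category):
    """The category itself followed by its parents, most specific first."""
    chain = [category]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def target_matches(target, req):
    """A target applies when every attribute it names matches the request;
    for user_category the request's category or any ancestor may match."""
    for attr, wanted in target.items():
        have = req.get(attr)
        if attr == "user_category":
            if wanted not in ancestors(have):
                return False
        elif have != wanted:
            return False
    return True

def evaluate_rule(rule, req):
    """Target miss or condition false -> NotApplicable; condition true -> the
    rule's effect; condition needs an attribute the request lacks -> Indeterminate."""
    if not target_matches(rule["target"], req):
        return NOT_APPLICABLE
    cond = rule.get("condition")
    if cond is None:
        return rule["effect"]
    try:
        return rule["effect"] if cond(req) else NOT_APPLICABLE
    except KeyError:
        return INDETERMINATE

def first_applicable(results):
    """EPAL-style descending precedence: the first rule that fires decides."""
    for r in results:
        if r != NOT_APPLICABLE:
            return r
    return NOT_APPLICABLE

def deny_overrides(results):
    """Simplified XACML deny-overrides: any Deny wins; else any Indeterminate
    makes the result Indeterminate; else Permit if any rule permitted."""
    if DENY in results:
        return DENY
    if INDETERMINATE in results:
        return INDETERMINATE
    return PERMIT if PERMIT in results else NOT_APPLICABLE

COMBINERS = {"first-applicable": first_applicable, "deny-overrides": deny_overrides}

def decide(policy, req):
    """PDP entry point.  Returns (decision, obligations, status); obligations
    accompany only a Permit or Deny, and status explains a non-decision."""
    if not target_matches(policy["target"], req):
        return NOT_APPLICABLE, [], "policy target not matched"
    results = [evaluate_rule(rule, req) for rule in policy["rules"]]
    decision = COMBINERS[policy["combining"]](results)
    if decision in (PERMIT, DENY):
        return decision, policy.get("obligations", []), "ok"
    status = "condition could not be evaluated" if decision == INDETERMINATE else "no rule applied"
    return decision, [], status

# Constructed policy over a crew roster: any employee may run the identity
# discrepancy match, but analysts outside the east jurisdiction are denied.
CREW_POLICY = {
    "target": {"resource": "crew_roster"},
    "combining": "deny-overrides",
    "rules": [
        {"target": {"user_category": "employee", "action": "match"},
         "condition": lambda r: r["purpose"] == "identity_discrepancy",
         "effect": PERMIT},
        {"target": {"user_category": "analyst", "action": "match"},
         "condition": lambda r: r["jurisdiction"] != "east",
         "effect": DENY},
    ],
    "obligations": ["record decision in the enclave audit log"],
}
# The same rules read as an EPAL-style ordered list: the Permit rule is first,
# so whenever it fires it wins and the Deny rule is never consulted.
EPAL_STYLE_POLICY = dict(CREW_POLICY, combining="first-applicable")

EAST_ANALYST = {"user_category": "analyst", "resource": "crew_roster",
                "action": "match", "purpose": "identity_discrepancy",
                "jurisdiction": "east"}
```

Evaluating a west-jurisdiction analyst's request makes the difference visible: both rules fire, deny-overrides returns Deny, while first-applicable returns Permit because the Permit rule precedes the Deny rule. This is the practical meaning of the observation that EPAL's rule ordering decides outcomes, and of the paper's point that combining two such policies mechanically is not straightforward.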


We argue that information sharing policies are much more than just access controls, 
however. In addition to modeling the Providers’ specific sharing restrictions and privacy 
laws and regulations for accessing the initial data provided, information sharing policies 
must control the output of data fusion applications that use the data provided. See Figure 
1. 


Additionally, modeling information sharing policies as access controls addresses only 
part of the economic event that information sharing activities comprise. In most cases, 
Providers aren’t simply donating their data with restrictions on its use. They wish to get 
something of equal value in return. It may be money—a straight financial transaction. 
Or the Provider may wish to receive information of equal quality in return. For example, 
the Provider may share data in order to benefit from the data fusion gain—the increase in 
the value of merging its data with that of others. In order to execute an information 
sharing contract the Users must specify their data quality requirements for the data fusion 
input and have a means of evaluating the data fusion gain of the output. 


There are many types of information sharing participants. They can be categorized by 
the nature of the organization (public, private, law enforcement, regulatory, etc.) or by 
their nationality. There are different internal information sharing policy requirements for 
each type. Additionally, the applicable laws and regulations related to required sharing 
(e.g., port security information requirements) and to sharing restrictions (e.g., different 
privacy laws in different jurisdictions) also vary with the type of participant. Therefore, 
information sharing policies will have to include provisions for conflict resolution and 
mediation and the specification of jurisdictions. 


There are a number of existing, potentially relevant data models that will have to be 
considered in modeling and implementing information sharing policies. The Global 
Justice XML Data Model (Global JXDM) is intended to be a data reference model for the 
exchange of information within the justice and public safety communities. For financial 
transactions and reports, there are the ebXML and XBRL data models. 


There are a number of interesting research questions related to information sharing policy 
representation, such as: 




• How should information sharing policies be represented? Can we develop an 
  information sharing ontology? 
• How should data quality requirements be defined and represented in the sharing 
  policies? 
• Can we identify a semantic model of sharing types, participants, purposes, 
  conditions, and conflict remediation strategies? 
• Can we identify prototypical sharing rules and create a repository to reduce the 
  policy negotiation burden? 
• Some of the technical areas related to policy representation to be explored 
  include: 
    ▪ methods of metadata extraction, 
    ▪ ontology merging and related semantic integration concepts, and 
    ▪ automatic classification of data. 


Continuous Compliance Assurance 


We argue that a secure, well controlled enclave designed to enforce information 
sharing policy compliance is necessary, but not sufficient, to address the concerns of 
Providers and Users. A well secured enclave reduces the risk that data Users misuse the 
data or protect it inadequately. Independent assurance of policy compliance further 
reduces uncertainty about the adequacy of the enclave's controls and the risk of misuse of 
data by the trusted enclave itself. 


The AICPA's Trust Services Principles and Generally Accepted Privacy Principles 
provide a framework for designing some of the assurance service procedures. Some of 
the questions that arise in the context of continuous audit of financial reports are relevant 
to the information sharing context as well. For instance, questions about the nature of the 
assurance report, its frequency and form, and questions about who should pay for the 
services are applicable to the information sharing context. 


With respect to the issue of data quality, the data providers, fusion application providers, 
and/or trusted enclave provider will make assertions about the data quality. Assurance 
services procedures related to data quality will be a function of the nature of the data and 
the assertions, the definition of the data quality metrics which provide the required 
criteria, and the required assurance levels of the users. Users will also have to define 
concepts such as “significant departure” from the stated criteria. 


When one or more of the information sharing partners is a government agency or law 
enforcement agency, it is not clear whom they will trust as the assurance service provider. 
In some cases, there may need to be a review by the agency's internal control group (e.g., 
Office of Inspector General) or by the GAO. A SAS 70 type audit may be needed to provide 
the internal agency auditors with assurance about the trusted enclave's control 
environment. If they wish to test the transaction data, the trusted enclave will have to 
provide a means of segregating the transactions that pertain to the pertinent agency only. 
It is likely that the trusted enclave's assurance provider will also have to give an 
auditor-to-auditor assurance that the set of transactions provided to the agency auditors is 
the entire population of transactions that involve the given agency. 
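One way the enclave could make the "entire population" claim testable is to keep, alongside its global append-only log, a per-participant hash chain: every logged exchange records the digest of the previous exchange involving each of its participants and that participant's running count. The enclave's auditor then attests only a head digest and a count per agency, and the agency's auditors can verify from the segregated extract alone that nothing was omitted or inserted. The following is an added illustration of that idea, not part of the original paper or of any VIACK product; the participant names, dataset labels, and policy identifiers are constructed for the example.

```python
"""Per-participant tamper-evident audit chain for an information sharing enclave.

Constructed example: a simplified log in which each exchange is chained both
globally and per participant, so that an extract for one agency can be checked
for completeness against a small attestation (head digest + count).
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # digest "before" the first entry of any chain


def _digest(obj) -> str:
    """Canonical SHA-256 over a JSON encoding with sorted keys."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass
class Entry:
    seq: int            # position in the enclave's global log
    parties: list       # participants in this exchange
    payload: dict       # what was shared and under which sharing policy
    prev: str           # digest of the previous global entry
    party_prev: dict    # party -> digest of that party's previous entry
    party_seq: dict     # party -> running count of entries for that party
    digest: str = ""

    def compute_digest(self) -> str:
        body = {"seq": self.seq, "parties": sorted(self.parties), "payload": self.payload,
                "prev": self.prev, "party_prev": self.party_prev, "party_seq": self.party_seq}
        return _digest(body)


class EnclaveLog:
    """Append-only log maintained by the trusted enclave."""

    def __init__(self):
        self.entries = []
        self.head = GENESIS
        self.party_head = {}
        self.party_count = {}

    def append(self, parties, payload) -> Entry:
        party_prev = {p: self.party_head.get(p, GENESIS) for p in parties}
        party_seq = {p: self.party_count.get(p, 0) + 1 for p in parties}
        entry = Entry(len(self.entries) + 1, list(parties), payload,
                      self.head, party_prev, party_seq)
        entry.digest = entry.compute_digest()
        self.entries.append(entry)
        self.head = entry.digest
        for p in parties:
            self.party_head[p] = entry.digest
            self.party_count[p] = party_seq[p]
        return entry

    def extract(self, party) -> list:
        """Segregated extract: only the exchanges that involve `party`."""
        return [e for e in self.entries if party in e.parties]

    def attestation(self, party) -> dict:
        """What the enclave's auditor hands to the agency's auditor."""
        return {"party": party, "head": self.party_head.get(party, GENESIS),
                "count": self.party_count.get(party, 0)}


def verify_population(subset, attestation):
    """Agency-side check that `subset` is the complete, unaltered population.

    Returns (ok, reason). A dropped entry breaks the per-party chain; a dropped
    tail shows up as a head/count mismatch; a forged entry cannot be linked to.
    """
    party = attestation["party"]
    expected_prev = GENESIS
    for n, e in enumerate(subset, start=1):
        if party not in e.parties:
            return False, f"entry {e.seq} does not involve {party}"
        if e.digest != e.compute_digest():
            return False, f"entry {e.seq} has been altered"
        if e.party_prev.get(party) != expected_prev:
            return False, f"gap in {party}'s chain before entry {e.seq}"
        if e.party_seq.get(party) != n:
            return False, f"entry {e.seq} carries count {e.party_seq.get(party)}, expected {n}"
        expected_prev = e.digest
    if len(subset) != attestation["count"]:
        return False, f"{len(subset)} entries provided, {attestation['count']} attested"
    if expected_prev != attestation["head"]:
        return False, "chain head does not match attestation"
    return True, "population complete"


def demo():
    """Constructed exchanges; returns (full extract verifies, tampered extract verifies)."""
    log = EnclaveLog()
    log.append(["PortAuthority", "CustomsAgency"], {"dataset": "manifests-2007-09", "policy": "P-1"})
    log.append(["BankA", "Regulator"], {"dataset": "sar-batch-17", "policy": "P-4"})
    log.append(["CustomsAgency", "BankA"], {"dataset": "cross-check", "policy": "P-7"})
    log.append(["PortAuthority", "CustomsAgency"], {"dataset": "manifests-2007-10", "policy": "P-1"})
    att = log.attestation("CustomsAgency")
    full = log.extract("CustomsAgency")
    ok_full, _ = verify_population(full, att)
    # An enclave that quietly withholds the bank cross-check is caught.
    ok_tampered, _ = verify_population([full[0], full[2]], att)
    return ok_full, ok_tampered
```

The attestation the enclave's auditor signs is small and contains no transaction content, so it can be issued on a fixed schedule (evergreen) or with each exception report without disclosing other participants' exchanges.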


Providers and Users will vary in their risk appetite, in the sensitivity of their data, and in 
their data quality requirements. The level of assurance required will vary accordingly. 
Therefore, it may be necessary to develop a means of specifying the required level of 
assurance as part of the information sharing policy. This raises some interesting game 
theory based research questions about the optimal level of assurance that a participant 
should require in a multi-organizational environment. 


Some additional research questions related to the provision of Continuous Compliance 
Assurance include: 

• What type of assurance report should the assurance provider issue? Evergreen 
reporting or exception reporting? 

• Is the level of assurance just another policy that should be specified by the data 
provider and data user? 

• Who should pay for the assurance service? 

• What legal representations are required? How often will they be refreshed? How 
does that affect the compliance report? 

• What needs to be logged for testing by the auditors? 

• What type of audit testing functionality is needed to ensure compliance? 

• For assurances related to data quality metrics, how do we define "significant 
departure"? 

• Do we need new standards for auditor-to-auditor communications? 


Conclusion 


Continuous compliance assurance is a means of creating trust among information sharing 
partners. Most organizations have not reached the level of information security maturity 
needed to support effective continuous compliance monitoring. The alternative is to use a 
secure enclave designed to support continuous assurance of compliance with policies for 
sharing sensitive, confidential, or private information. The trusted enclave approach has 
many advantages, including the ability to measure and manage policy noncompliance 
risk and the related benefits arising from the use and assurance of data quality metrics. 


This paper provides a framework for related research. It has outlined many research 
areas related to the provision of continuous assurance of information sharing policies in a 
trusted enclave environment. The purpose of this paper is to stimulate research in this 
area. 








[Figure: Trusted Enclave. Provider 1, Provider 2, and Provider 3 supply data to the enclave, 
which hosts the Fusion/analysis component.] 